P3CA: private anomaly detection across ISP networks

Published: 27 July 2011

Abstract

Detection of malicious traffic in the Internet would be much easier if ISP networks shared their traffic traces. Unfortunately, state-of-the-art anomaly detection algorithms require detailed traffic information which is considered extremely private by operators. To address this, we propose an algorithm that allows ISPs to cooperatively detect anomalies without requiring them to reveal private traffic information. We leverage secure multiparty computation to design a privacy-preserving variant of principal component analysis (PCA) that limits information propagation across domains. PCA is a well-proven technique for isolating anomalies on network traffic and we target a design that retains its scalability and accuracy. To validate our approach, we evaluate an implementation of our design against traces from the Abilene Internet2 IP backbone network as well as synthetic traces, show that it performs efficiently to support an online anomaly detection system and conclude that privacy-preserving anomaly detection shows promise as a key element of a wider network anomaly detection framework. In the presence of increasingly serious threats from modern networked malware, our work provides a first step towards enabling larger-scale cooperation across ISPs in the presence of privacy concerns.

      Published In

      PETS'11: Proceedings of the 11th international conference on Privacy enhancing technologies
      July 2011
      285 pages
      ISBN:9783642222627
      • Editors: Simone Fischer-Hübner, Nicholas Hopper

      Sponsors

      • Microsoft

      Publisher

      Springer-Verlag

      Berlin, Heidelberg
